Cargo Systems Messaging Service

CSMS #40726090 - FINAL NOTICE: Retirement of the Current Cisco EzVPN Solution

FINAL NOTICE

This is the final notice before the 12/31/19 deadline.  You must take action if your organization has not already done so. 

CBP is in the process of implementing a modernized solution for all trade partners currently using IBM MQ Client in conjunction with the use of Cisco Easy VPN Client (EzVPN) software.  Trade partners using EzVPN installed on a Cisco router or installed locally within their application environment are impacted by this change and must take action immediately.  The current Cisco EzVPN solution is being retired and effective December 31, 2019, will no longer be available for messaging with CBP. 

If either of the below are being utilized for connectivity to CBP, your organization is exempt from this migration process.

1. Lan to Lan (L2L) connection in conjunction with MQ Client or MQ Server
2. MPLS solution in conjunction with MQ Server 

If you are not currently engaged with CBP for transition to MQIPT, Lan to Lan or MPLS, you will be affected on December 31, 2019. We have been aggressively migrating CBP Trade Partners to the solution of their choice and we need to hear back from you due to this fast approaching deadline. Your EzVPN connection will not be supported beyond that deadline and it is in your best interest to make this a priority. 

The modernized solution for MQ Client connectivity involves a PKI certificate based connection methodology using IBM MQ Internet Pass-Thru (MQIPT).   There is no need for a Cisco router as this solution simply uses an internet connection.  The infrastructure needed to support MQIPT communication is in place at CBP and many trade partners have fully transitioned to the use of MQIPT.  

Affected trade partners will be required to upgrade their MQ Client software to version MQ V9+.  If you have not previously completed the VPN Information Questionnaire from a previous CSMS on this topic, please do so at your earliest convenience and return it to the CBP MQ Support Staff (MQSTAFFOPS@cbp.dhs.gov).  Once this information is received, a CBP MQ Technician will be assigned to your organization and additional documentation regarding this transition will be provided.  Following this initial contact, the assigned CBP MQ Technician will assemble and send an MQIPT “package” containing encrypted public key certificates and package installation information.  IF your organization uses the services of a software vendor to support your business needs, they are already aware of this effort.  CBP asks that you alert them to this updated CSMS message.

If your organization uses the CBP supplied sample program "CBPPTGT" as a part of your implementation, an updated version of this program supporting MQIPT will be provided.  The existing settings utilized by this program will continue to work with the updated version.

MQIPT remains the fastest migration solution and the certificate usually takes about 2 – 3 days to come back from DHS. Lan to Lan requires assistance from the DHS OneNet Network Group and although they are working on this in an expedited manner, the fast approaching holidays come with several blackout periods. If you choose the Lan to Lan option, please engage your CBP Client Representative immediately. Again, this is your last opportunity for migration so your organization does not get impacted after the deadline.